Abstract — We consider a pair-wise independent network where
every pair of terminals in the network observes a common pair-wise
source that is independent of all the sources accessible to
the other pairs. We propose a method for secret key agreement
in such a network that is based on well-established point-to-point
techniques and repeated application of the one-time pad.
Three specific problems are investigated. 1) Each terminal's 
observations are correlated only with the observations of a central 
terminal. All these terminals wish to generate a common secret 
key. 2) In a pair-wise independent network, two designated 
terminals wish to generate a secret key with the help of other 
terminals. 3) All the terminals in a pair-wise independent network 
wish to generate a common secret key. A separate protocol for 
each of these problems is proposed. Furthermore, we show that 
the protocols for the first two problems are optimal and the 
protocol for the third problem is efficient, in terms of the resulting 
secret key rates. 

I. Introduction 

The problem of secret key generation by two terminals, 
based on their respective observations of a common source 
followed by public transmissions between them, was first 
studied by Maurer [4], and Ahlswede and Csiszar [1]. Various 
extensions of this problem have been investigated since then 
(see, e.g., [2], [5], [8], [9], [10]). 

Csiszar and Narayan [3] generalize the secret key generation 
problem to multiple terminals. They consider a model with an 
arbitrary number of terminals, each with distinct observations 
of a common source. A group of terminals wish to generate a 
secret key with the help of other terminals. In generating such 
a key, these terminals are allowed to communicate with each 
other through a noiseless public channel. 

In this paper, we consider a pair-wise independent network 
where every pair of terminals in the network observes a common
source that is independent of all the sources accessible
to the other pairs. This model, as a special case of the model 
in [3], is motivated by wireless communications [10], [11]. In 
a wireless communication environment, each pair of wireless 
terminals typically possesses some means of estimating their 
mutual channel. The resulting estimates are highly statistically 
similar, provided that the terminals communicate on the same 
carrier frequency. Moreover, any third terminal's observations 
are essentially uncorrelated with the observations of the first 
two terminals, provided that the third terminal is located at 
least half a wavelength away from those two. 

The main contribution of this paper is the following. We 
propose a method for secret key agreement in the pair-wise 
independent network that is based on well-established point-to-point
techniques [9], [10] and repeated application of the
one-time pad. Specifically, we propose protocols for three
cases of the pair-wise independent model and prove that the 
secret key rates achieved by our protocols are optimal in 
the first two cases. Therefore, the capacity problem in such 
situations is now solved. Furthermore, the efficiency of our 
protocol for the last case is shown through examples. The 
innate connections between the pair-wise independent network 
and graphs can be observed through these protocols. 

II. Preliminaries 

Suppose $m \ge 2$ terminals respectively observe $n$ independent
and identically distributed repetitions of the random
variables $(X_1, X_2, \ldots, X_m)$, denoted by $(X_1^n, X_2^n, \ldots, X_m^n)$
with $X_i^n = (X_{i,1}, \ldots, X_{i,n})$. A group $A \subseteq \{1, \ldots, m\}$
of terminals wish to generate a common secret key, with
the help of the remaining terminals. To do so, these $m$
terminals can communicate with each other through a noiseless
public channel. The generated group secret key $K$ should be
nearly statistically independent of the public transmissions.
The entropy rate of the secret key, viz., $H(K)/n$, is called a
secret key rate. The largest achievable secret key rate is called
the secret key capacity, denoted by $C_{SK}(A)$. It is shown in
[3] that



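$$C_{SK}(A) = H(X_1, \ldots, X_m) - \min_{(R_1, \ldots, R_m) \in \mathcal{R}(A)} \sum_{i=1}^{m} R_i,$$

where

$$\mathcal{R}(A) = \Big\{ (R_1, \ldots, R_m) : \sum_{i \in B} R_i \ge H(X_B \mid X_{B^c}),\ B \subset \{1, \ldots, m\},\ A \not\subset B \Big\},$$

with $X_B = \{X_j : j \in B\}$ and $B^c = \{1, \ldots, m\} \setminus B$.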

Let $(B_1, \ldots, B_k)$ be a $k$-partition of $\{1, \ldots, m\}$, such that
each element $B_l$, $1 \le l \le k$, intersects with the set
$A \subseteq \{1, \ldots, m\}$. Denote by $\mathcal{B}_k(A)$ the set of all such $k$-partitions.
Then an upper bound on the secret key capacity is [3]



$$C_{SK}(A) \le \min_{2 \le k \le |A|} \frac{1}{k-1} I_k(A), \tag{1}$$

where

$$I_k(A) = \min_{(B_1, \ldots, B_k) \in \mathcal{B}_k(A)} \left[ \sum_{l=1}^{k} H(X_{B_l}) - H(X_1, \ldots, X_m) \right].$$



III. A Pair-wise Independent Network

In this paper, we focus on a pair-wise independent network,
which is a special case of the network described in Section II.
Suppose that the observation $X_i$ by terminal $i$ has $m - 1$
components $(Y_{i,1}, \ldots, Y_{i,i-1}, Y_{i,i+1}, \ldots, Y_{i,m})$. Each component
$Y_{i,j}$ denotes the observation of the source that is accessible
only to terminals $i$ and $j$. Furthermore, it is assumed that

$$I(Y_{i,j}, Y_{j,i}; \{Y_{k,l} : (k,l) \ne (i,j), (j,i)\}) = 0. \tag{2}$$

This implies that each source accessible to a pair of terminals
is independent of all other sources; hence, the network is called
pair-wise independent.

If a group of terminals in the pair-wise independent network
generate a common secret key, then an upper bound on the
secret key capacity is given in the following lemma.

Lemma 1: In the pair-wise independent network,

$$C_{SK}(A) \le \min_{2 \le k \le |A|} \frac{1}{k-1} I'_k(A), \tag{3}$$

where

$$I'_k(A) = \min_{(B_1, \ldots, B_k) \in \mathcal{B}_k(A)} \sum_{i \in B_l,\ j \in B_r;\ l < r} I(Y_{i,j}; Y_{j,i}).$$

Proof: Let $(B_1, \ldots, B_k)$ be an arbitrary $k$-partition belonging
to $\mathcal{B}_k(A)$. It follows from the independence condition
(2) that

$$H(X_1, \ldots, X_m) = \sum_{1 \le i < j \le m} H(Y_{i,j}, Y_{j,i}),$$

and for $1 \le l \le k$,

$$H(X_{B_l}) = \sum_{i < j;\ i, j \in B_l} H(Y_{i,j}, Y_{j,i}) + \sum_{i \in B_l,\ j \notin B_l} H(Y_{i,j}).$$

Then

$$\sum_{l=1}^{k} H(X_{B_l}) - H(X_1, \ldots, X_m) = \sum_{i \in B_l,\ j \in B_r;\ l < r} \left[ H(Y_{i,j}) + H(Y_{j,i}) - H(Y_{i,j}, Y_{j,i}) \right].$$

Therefore, the upper bound (3) follows from (1) and the above
equality. ■

The decomposition observed in the proof suggests that a
graph based approach can be used to study the pair-wise
independent network. It is our conjecture that the upper bound
(3) is always tight for the pair-wise independent network; we
demonstrate that this conjecture holds in at least two special
cases.

IV. The Broadcast Case

In this section, we consider the broadcast case of a pair-wise
independent network in which the observations of each terminal
in $\{2, \ldots, m\}$ are correlated only with the observations
of terminal 1 (called the central terminal). In other words, the
observation $X_i$ by terminal $i \ne 1$ is equal to $Y_{i,1}$, and $Y_{i,j}$ is
a constant for $j \ne 1$.

By restricting $\mathcal{B}_k(A)$ to the set of 2-partitions

$$(\{1, 3, \ldots, m\}, \{2\}),\ \ldots,\ (\{1, 2, \ldots, m-1\}, \{m\})$$

in (3), we obtain an upper bound on the secret key capacity
for the broadcast case

$$C_{SK}(\{1, \ldots, m\}) \le \min_{2 \le i \le m} I(Y_{1,i}; Y_{i,1}). \tag{4}$$

Next, we propose a protocol for the secret key establishment 
among all m terminals. 

Terminals $2, \ldots, m$ begin by separately establishing secret
keys with the central terminal using the standard techniques
[4], [1]. This results in $m - 1$ pair-wise secret keys $K_{1,i}$,
$2 \le i \le m$, where $K_{1,i}$ denotes the secret key shared by
terminals 1 and $i$. Without loss of generality, these keys are
stored using a binary alphabet. Let $|K_{1,i}|$ denote the length
of the secret key $K_{1,i}$. According to [4], [1], for any $\epsilon > 0$,
each secret key $K_{1,i}$, as a function of $(Y_{1,i}^n, Y_{i,1}^n)$, satisfies the
secrecy condition

$$I(K_{1,i}; V_{1,i}) < \epsilon, \tag{5}$$

and the uniformity condition

$$H(K_{1,i}) > |K_{1,i}| - \epsilon, \tag{6}$$

where $V_{1,i}$ denotes the public transmissions between terminal
$i$ and the central terminal to generate the pair-wise secret key
$K_{1,i}$. It follows from the independence condition (2) that

(7)

The entropy rate of $K_{1,i}$ is given by [4], [1]

$$\frac{1}{n} H(K_{1,i}) > I(Y_{1,i}; Y_{i,1}) - \epsilon. \tag{8}$$

Let $K_{1,i^*}$, $2 \le i^* \le m$, be the shortest key among the $m - 1$
generated keys, i.e., $|K_{1,i^*}| = \min_{2 \le i \le m} |K_{1,i}|$. This implies
that

$$I(Y_{1,i^*}; Y_{i^*,1}) = \min_{2 \le i \le m} I(Y_{1,i}; Y_{i,1}). \tag{9}$$

The central terminal sends $\bar{K}_{1,i} \oplus K_{1,i^*}$ to terminal $i$, where
$\bar{K}_{1,i}$ denotes the first $|K_{1,i^*}|$ bits of $K_{1,i}$. At this point, all $m$
terminals have $K_{1,i^*}$, which is set as the group secret key. The
independence between $K_{1,i^*}$ and all the public transmissions
is shown in the following proposition.

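Proposition 1: For any $\delta > 0$, the secret key $K_{1,i^*}$ generated
above satisfies

$$I(K_{1,i^*}; \{V_{1,i}, K_{1,i^*} \oplus \bar{K}_{1,i} : 2 \le i \le m\}) < \delta. \tag{10}$$

Proof: In the interest of simple notation, we denote
$K_{1,i^*} \oplus \bar{K}_{1,i}$ by $\bar{V}_{1,i}$. Then the left side of (10) is written
as

$$\begin{aligned}
I(K_{1,i^*}; V_{1,2}, \ldots, V_{1,m}, \bar{V}_{1,2}, \ldots, \bar{V}_{1,m})
&\le I(K_{1,i^*}; \bar{V}_{1,2}, \ldots, \bar{V}_{1,m}) \\
&\quad + I(K_{1,i^*}, \bar{V}_{1,2}, \ldots, \bar{V}_{1,m}; V_{1,2}, \ldots, V_{1,m}).
\end{aligned} \tag{11}$$

The former term in (11) is upper bounded by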

IU\:.,-:\.,2.--- ,Vi, m ) 

m 

< — H(Ki ti \Ki t i* , K lj2 , ■ ■ ■ ,# M _i)] 

i=2 

< 2(m - 2)e, 

where the latter inequality follows from (6) and (7). The latter
term in (11) is upper bounded by

$$\begin{aligned}
I(K_{1,i^*}, \bar{V}_{1,2}, \ldots, \bar{V}_{1,m}; V_{1,2}, \ldots, V_{1,m})
&= I(\bar{K}_{1,2}, \ldots, \bar{K}_{1,m}; V_{1,2}, \ldots, V_{1,m}) \\
&= \sum_{i=2}^{m} I(\bar{K}_{1,i}; V_{1,i}) < (m-1)\epsilon,
\end{aligned}$$

where the inequality follows from (5). This completes the
proof. ■

It follows from (8) and (9) that the generated secret key
$K_{1,i^*}$ has a rate close to the upper bound (4). Hence, the
protocol is optimal. Furthermore, it is not difficult to show
that the protocol is also optimal for the broadcast case with
rate constraints (cf., [2]) on the public transmissions.

V. The Sub-group Key Case 

We now consider a sub-group key generation problem. 
Suppose that, in a pair-wise independent network, terminals
1 and $m$ wish to generate a secret key with the help of other
$m - 2$ terminals. In other words, the sub-group $A = \{1, m\}$
of terminals wish to generate a secret key.

We begin this section with a short overview of some 
definitions and algorithms related to graphs. Then we propose 
a protocol for the sub-group key generation problem. This 
protocol is based on existing graph algorithms. Further, we 
show that the resulting secret key has a rate close to the 
capacity. 

Let $\mathcal{G} = (\mathcal{N}, \mathcal{E})$ be a weighted directed graph. Let $s \in \mathcal{N}$
be a source node and $t \in \mathcal{N}$ be a destination node in $\mathcal{G}$. An
$s$-$t$ cut of the graph $\mathcal{G}$ is a partition of the nodes $\mathcal{N}$ into
two sets $\mathcal{N}_1$ and $\mathcal{N}_2$ such that $s \in \mathcal{N}_1$ and $t \in \mathcal{N}_2$. Any edge
crossing from $\mathcal{N}_1$ to $\mathcal{N}_2$ is said to be a cut edge. The weight
of an $s$-$t$ cut is the sum of the weights of its edges. An $s$-$t$
cut is minimal if the weight of the $s$-$t$ cut is not larger than
the weight of any other $s$-$t$ cut.

A network flow is an assignment of flow to the edges of a
weighted directed graph such that the amount of flow along
the edge does not exceed its weight. The maximal $s$-$t$ flow
problem is to find a maximal feasible flow from the source
node $s$ to the destination node $t$. The labeling algorithm [7]
is known to solve the maximal $s$-$t$ flow problem.

By the max-flow min-cut theorem [6], the maximal $s$-$t$
flow is equal to the weight of the minimal $s$-$t$ cut.

We now return to the sub-group secret key generation 
problem. It follows from Lemma 1 that the secret key capacity, 
which can be achieved by terminals 1 and m with the help of 
other terminals, is upper bounded by 



$$C_{SK}(\{1, m\}) \le \min_{(B_1, B_2) \in \mathcal{B}_2(\{1, m\})} \sum_{i \in B_1,\ j \in B_2} I(Y_{i,j}; Y_{j,i}), \tag{12}$$

where $\mathcal{B}_2(\{1, m\})$ is the set of all 2-partitions of the set
$\{1, \ldots, m\}$ such that either atom of a 2-partition intersects
with $\{1, m\}$.

The upper bound (12) can be represented via graphs.
Consider a weighted directed graph $G_1$ with $m$ nodes, each
node corresponding to a terminal. The edge from node $i$ to $j$
has weight $I(Y_{i,j}; Y_{j,i})$. Let node 1 be the source node and
node $m$ be the destination node. Then the upper bound (12)
is equivalent to the minimal $s$-$t$ cut of $G_1$.

Next, we propose a protocol for the secret key establishment
between terminals 1 and $m$.

All the terminals begin by establishing pair-wise secret keys
using the standard techniques [4], [1]. This results in $\binom{m}{2}$
pair-wise secret keys. Let $K_{i,j}$ ($= K_{j,i}$) denote the secret
key shared by terminals $i$ and $j$. Each secret key $K_{i,j}$, as a
function of $(Y_{i,j}^n, Y_{j,i}^n)$, satisfies certain secrecy condition and
uniformity condition as in (5), (6). Further, for any $\epsilon > 0$,

$$I(K_{i,j}; \{K_{k,l} : (k,l) \ne (i,j), (j,i)\}) < \epsilon, \tag{13}$$

and the entropy rate of $K_{i,j}$ is given by [4], [1]

$$\frac{1}{n} H(K_{i,j}) > I(Y_{i,j}; Y_{j,i}) - \epsilon. \tag{14}$$

Based on the pair-wise secret key $K_{i,j}$, terminal $i$ can cipher
$|K_{i,j}|$ random bits with $K_{i,j}$ through the one-time pad before
transmitting these random bits to terminal $j$ (and vice versa).
This implies the existence of a secure channel between nodes
$i$ and $j$ with capacity $\frac{1}{n}|K_{i,j}|$.

Consider a weighted directed graph $G_2$ with $m$ nodes, each
node corresponding to a terminal. The weight of an edge
in the graph is equal to the capacity of the secure channel
connecting terminals $i$ and $j$, i.e., $\frac{1}{n}|K_{i,j}|$. Using the labeling
algorithm [7], one can find the maximal $s$-$t$ flow $F$ in this
graph. Accordingly, terminal 1 can securely send random bits
through the network to terminal $m$ at rate $F$. Let these random
bits be the secret key of terminals 1 and $m$. By arguments
similar to those used in the proof of Proposition 1, it is easy
to show that this secret key is nearly statistically independent
of the public transmissions.

Proposition 2: Let $V$ denote all the public transmissions
needed in the protocol above. For any $\delta > 0$, the secret key
$K$ generated above satisfies $I(K; V) < \delta$.

According to the max-flow min-cut theorem [6], the rate
$F$ of the generated secret key is equal to the minimal $s$-$t$
cut of $G_2$. It follows from (14) that the minimal $s$-$t$ cut
of $G_2$ is close to the minimal $s$-$t$ cut of $G_1$. Hence, the
achieved secret key rate is close to the upper bound (12), and
the protocol is optimal.
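
The sub-group protocol above, as an added Python example that is not code from the paper: `max_flow` stands in for the labeling algorithm (using breadth-first augmenting paths, an assumption), and terminal 1's random bits are relayed hop by hop under a one-time pad. The key lengths in `SAMPLE`, the randomly drawn pairwise keys and all function names are constructed for illustration.

```python
import secrets
from collections import deque

def bfs_path(amount, s, t):
    """Shortest s->t path over edges with a positive amount, or None."""
    prev, queue = {s: None}, deque([s])
    while queue:
        u = queue.popleft()
        for (a, b), x in amount.items():
            if a == u and x > 0 and b not in prev:
                prev[b] = u
                queue.append(b)
    if t not in prev:
        return None
    path, v = [], t
    while prev[v] is not None:
        path.append((prev[v], v))
        v = prev[v]
    return path[::-1]

def max_flow(key_len, s, t):
    """Net number of bits to send over each link in a maximal s-t flow."""
    res = {}
    for (i, j), n in key_len.items():      # one shared key pads either direction
        res[(i, j)] = res[(j, i)] = n
    while (path := bfs_path(res, s, t)):
        push = min(res[e] for e in path)
        for (u, v) in path:
            res[(u, v)] -= push
            res[(v, u)] += push
    flow = {}
    for (i, j), n in key_len.items():
        used = n - res[(i, j)]             # > 0: i -> j, < 0: j -> i
        if used:
            flow[(i, j) if used > 0 else (j, i)] = abs(used)
    return flow

def subgroup_key(key_len, s, t):
    """Terminal s sends F random bits to t; returns (sent, received, public)."""
    keys = {e: [secrets.randbits(1) for _ in range(n)] for e, n in key_len.items()}
    flow = max_flow(key_len, s, t)
    sent, received, public = [], [], []
    while (path := bfs_path(flow, s, t)):  # peel one unit path off the flow
        bit = secrets.randbits(1)          # fresh random bit chosen by terminal s
        sent.append(bit)
        for (u, v) in path:
            pad = keys[(min(u, v), max(u, v))].pop()   # every key bit is used once
            cipher = bit ^ pad                         # what the public channel sees
            public.append((u, v, cipher))
            bit = cipher ^ pad                         # v decrypts before relaying
            flow[(u, v)] -= 1
        received.append(bit)
    return sent, received, public

# Constructed key lengths |K_ij| for terminals 1..4 (keys are indexed with i < j).
SAMPLE = {(1, 2): 3, (1, 3): 2, (2, 3): 1, (2, 4): 2, (3, 4): 3}

if __name__ == "__main__":
    sent, received, public = subgroup_key(SAMPLE, 1, 4)
    print(len(sent), "key bits agreed between terminals 1 and 4")
```

Every cut separating terminal 1 from terminal 4 in `SAMPLE` has weight at least 5, so the relay delivers exactly 5 bits, and `pop()` on an exhausted key would raise if any link were asked to carry more bits than its pairwise key holds.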

VI. The Group Key Case 

In this section, we examine the problem of all the terminals 
in a pair-wise independent network generating a common 
secret key. We start by a short overview of more definitions 
and algorithms related to graphs. Then we propose a protocol 
for the group secret key generation problem. This protocol is 
based on existing graph algorithms. Finally, we demonstrate 
the efficiency of this protocol through several examples. 

Let $\mathcal{G} = (\mathcal{N}, \mathcal{E})$ be a weighted undirected graph. The graph
$\mathcal{G}$ is said to be connected if for every two distinct nodes
$i, j \in \mathcal{N}$, there exists a path from node $i$ to node $j$. Otherwise, the
graph is said to be unconnected. Define a multi-cut of $\mathcal{G}$ to
be a partition of the nodes $\mathcal{N}$ into several sets $\mathcal{N}_1, \ldots, \mathcal{N}_L$,
$2 \le L \le m$, with $m$ being the number of nodes in $\mathcal{G}$. Any
edge $(i, j) \in \mathcal{E}$ with end-nodes $i$, $j$ belonging to different sets
is said to be a multi-cut edge. The weight of a multi-cut is the
weight sum of its edges. The normalized weight of a multi-cut
is the weight of the multi-cut divided by $L - 1$, where $L$ is the
number of sets in the partition of $\mathcal{G}$ generating the multi-cut.

Given a connected undirected graph $\mathcal{G} = (\mathcal{N}, \mathcal{E})$, let $\mathcal{E}_1$ be
a subset of $\mathcal{E}$ such that $\mathcal{T} = (\mathcal{N}, \mathcal{E}_1)$ is a tree. Such a tree
is called a spanning tree. A maximum spanning tree from a
weighted graph is defined as a spanning tree such that the
weight sum of its edges is as large as possible. The problem
of finding a maximum spanning tree can be solved by several
greedy algorithms. Two examples are Kruskal's algorithm and
Prim's algorithm (cf., e.g., [6]).

The upper bound (3) on the secret key capacity for the group
secret key case, i.e., $A = \{1, \ldots, m\}$, can be represented
via graphs. Consider a weighted undirected graph $G_3$ with $m$
nodes, each node corresponding to a terminal. The weight of
an edge $(i, j)$ in the graph is equal to $I(Y_{i,j}; Y_{j,i})$. Note that
each multi-cut of the graph $G_3$ is equivalent to a partition
in (3), and the set of all multi-cuts of the graph $G_3$ is
precisely equivalent to the set of partitions
$\{(B_1, \ldots, B_k) \in \mathcal{B}_k(\{1, \ldots, m\}) : 2 \le k \le m\}$ in (3). Moreover, the normalized
weight of a multi-cut is precisely $\frac{1}{k-1} I'_k(\{1, \ldots, m\})$.
Consequently, we have the following corollary.

Corollary 1: The secret key capacity for the group secret 
key case is upper bounded by the minimal normalized weight 
of the multi-cuts of G3. In particular, this upper bound implies 
the following two upper bounds: 

i) the minimal weight of the cuts of $G_3$, where a cut is a
multi-cut generated by a partition into 2 sets;

ii) the weight sum of all edges in $G_3$ divided by $m - 1$.

Next, we propose a protocol for the group secret key 
generation problem. All the terminals begin by establishing 
pair-wise secret keys using the standard techniques [4], [1]. 
Let $K_{i,j}$ ($= K_{j,i}$) denote the secret key shared by terminals $i$
and $j$. These secret keys satisfy the certain secrecy condition,
uniformity condition, and (13), (14).



Consider a weighted undirected graph $G_4$ with $m$ nodes,
each corresponding to a terminal. The weight of an edge $(i, j)$
in the graph is equal to the length$^1$ of the corresponding pair-wise
secret key $K_{i,j}$, i.e., $|K_{i,j}|$.

Our group key generation algorithm is related to Lemma 2
below. This lemma discusses the generation of a single secret
bit among $m$ nodes, based on a single bit from each of the
$m - 1$ pair-wise secret keys whose corresponding edges constitute
a spanning tree.

Lemma 2: Consider an arbitrary tree connecting m nodes. 
If every pair of neighbor nodes on the tree shares a single 
pair-wise secret bit, then a single secret bit can be generated 
among all m nodes. 

Proof: A simple algorithm on generating a single secret
bit among all $m$ nodes is illustrated below.

Single Bit Algorithm:

Step 1. Randomly pick up an edge $(i^*, j^*)$ from the
spanning tree. Nodes $i^*$ and $j^*$ share a secret bit $B_{i^*,j^*}$.

Step 2. If node $i$ knows $B_{i^*,j^*}$, but its neighbor node $j$
does not, then node $i$ sends $B_{i^*,j^*} \oplus B_{i,j}$ to node $j$, where
$B_{i,j}$ is the secret bit shared by nodes $i$ and $j$. Upon receiving
this message, node $j$ is able to decode $B_{i^*,j^*}$. Repeat this step
until the above condition does not hold. □

This algorithm stops when all the nodes are able to decode
$B_{i^*,j^*}$. It is trivial to show the independence between $B_{i^*,j^*}$
and the public transmissions. Hence, $B_{i^*,j^*}$ is a secret bit. ■

Our group secret key generation algorithm is given below. 
Group Key Generation Algorithm: 

Let $G$ be the weighted undirected graph $G_4$ defined above.

Step 1: Determine a maximum spanning tree from $G$, using
any known algorithm (e.g., Kruskal's or Prim's). If there is
more than one maximum spanning tree, randomly select one.

Step 2: Apply the single bit algorithm to generate a single 
secret bit among all nodes, based on a single bit from every 
pair-wise secret key on the determined maximum spanning 
tree. Note that these used bits will be of no use in the 
remaining group key generation process. 

Step 3: Update the graph by reducing the edge weight by 
1 for the edges on the determined spanning tree. Remove an 
edge when its weight becomes zero. 

Step 4: If the remaining graph G is unconnected, then set 
the group secret key as the collection of all generated secret 
bits. Otherwise, return to Step 1. □ 

Since each iteration of the group key generation algorithm 
leads to a single secret bit, the length of the resulting secret 
key is equal to the number of iterations of the algorithm that 
can be run until the graph becomes unconnected. The purpose 
of searching a maximum spanning tree (rather than picking up 
an arbitrary spanning tree) in Step 1 is to maximize the number 
of iterations of the algorithm by means of "balancing" edge 
weights in the weight reduction procedure. 

By arguments similar to those used in the proof of Proposition 1,
it is easy to show that the secret key resulting from
the above algorithm is nearly statistically independent of the
public transmissions.

$^1$ For the purpose of simple notations, we shall use the length, rather than the
rate, of a secret key as an edge weight. This should not lead to any confusion.

Fig. 1. Example network with 3 nodes. Left: original weighted graph. Right: weighted graph after the first iteration.

Proposition 3: Let $V$ denote all the public transmissions
needed in the protocol above. For any $\delta > 0$, the secret key
$K$ generated above satisfies $I(K; V) < \delta$.

We illustrate the operations of the group key generation 
algorithm through the following example. 

Example 1: Consider a network with 3 nodes. Nodes 1 and
2 share a secret key of 5 bits; nodes 1 and 3 share a secret
key of 4 bits; and nodes 2 and 3 share a secret key of 3 bits.
This network is drawn in the left part of Fig. 1.

Let the pair-wise secret keys be $K_{1,2} = (K_{1,2}^1, \ldots, K_{1,2}^5)$,
$K_{1,3} = (K_{1,3}^1, \ldots, K_{1,3}^4)$, and $K_{2,3} = (K_{2,3}^1, \ldots, K_{2,3}^3)$,
where $K_{i,j}^k$ denotes the $k$-th bit of the secret key shared by
nodes $i$ and $j$.

The spanning tree ((1,2), (1,3)) is the maximum spanning
tree from the graph in the left part of Fig. 1, as it has a larger
weight (= 9) than other spanning trees. Hence, by the single
bit algorithm, node 1 transmits $K_{1,2}^1 \oplus K_{1,3}^1$ and sets $K_{1,2}^1$
(or $K_{1,3}^1$) as the secret bit. Update the graph by reducing the
weights of the edges (1,2), (1,3) by 1. This results in the
graph given in the right part of Fig. 1.

By repeating the above process, the determined maximum
spanning trees and the corresponding public transmissions in
the next five iterations are

((1,2), (1,3)), ((1,2), (2,3)), ((1,2), (2,3)), ((1,3), (2,3)), ((1,2), (1,3)),

and

$$K_{1,2}^2 \oplus K_{1,3}^2,\quad K_{1,2}^3 \oplus K_{2,3}^1,\quad K_{1,2}^4 \oplus K_{2,3}^2,\quad K_{1,3}^3 \oplus K_{2,3}^3,\quad K_{1,2}^5 \oplus K_{1,3}^4,$$

respectively. The algorithm stops after these iterations, as the
remaining graph is unconnected. The group secret key is set as
$(K_{1,2}^1, K_{1,2}^2, K_{1,2}^3, K_{1,2}^4, K_{1,3}^3, K_{1,2}^5)$. By restricting $k$ to $|A| = 3$
and setting $Y_{i,j} = Y_{j,i} = K_{i,j}$ in (3), we find that the length
of any group secret key in this example cannot be larger than
6 bits. Hence, the algorithm is optimal.

For a network with 3 nodes, determining a maximum spanning
tree in the group key generation algorithm is equivalent
to determining a node such that the weight sum of two edges 
connecting with this node is the largest. 



Example 2: Consider a network with $m$ nodes and all $\binom{m}{2}$
edges having the same even weight $w = 2u$, for a certain
positive integer $u$. A secret key of length $mu$ bits can be
generated by using the group key generation algorithm. On
the other hand, by restricting $k$ to $|A| = m$ and setting
$Y_{i,j} = Y_{j,i} = K_{i,j}$ in (3), we find that the length of any group secret
key in this example cannot be larger than $\binom{m}{2} \frac{w}{m-1} = mu$ bits.
Hence, the algorithm is optimal.

Although the group key generation algorithm is shown to 
be optimal in the examples above, its potential non-optimality 
is demonstrated by the following example. 

Example 3: Consider a network with 4 nodes. Each node is
connected with every other node by an edge of weight 1. It is
clear that ((1, 2), (1,3), (1, 4)) is a maximum spanning tree of 
the graph, which means that 1 secret bit can be generated from 
it. However, the updated graph then becomes unconnected, 
resulting in a secret key of 1 bit. 

Nevertheless, the upper bound in (3) can be achieved by
simply making a better selection from the possible maximal 
spanning trees. One such tree is ((1,2), (2,3), (3,4)). After 
the weight reduction, the new graph is still connected, having 
the spanning tree ((1,3), (1,4), (2,4)). Hence, 2 secret bits, 
which is optimal, can be established in this manner. 

This example suggests the importance of deliberately selecting
a maximum spanning tree in Step 1 of the algorithm.
What a good selection scheme might look like, and whether 
it would guarantee the optimality of this algorithm, remains 
open. 
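
The Group Key Generation Algorithm and the Single Bit Algorithm of Section VI, run on Examples 1 and 3, as an added Python example that is not code from the paper. Pairwise keys are simulated with random bits, ties between maximum spanning trees are broken deterministically instead of randomly, and the `prefer` argument and all function names are hypothetical; on a star graph the same loop yields $\min_i |K_{1,i}|$ bits, the key length reached by the broadcast protocol of Section IV.

```python
import secrets

def max_spanning_tree(weights, nodes, prefer=()):
    """Kruskal, heaviest edge first; returns None if the graph is unconnected.
    `prefer` (hypothetical hook) lists edges to try first among equal weights."""
    parent = {v: v for v in nodes}
    def find(v):
        while parent[v] != v:
            v = parent[v]
        return v
    tree = []
    for e in sorted(weights, key=lambda e: (-weights[e], e not in prefer, e)):
        ri, rj = find(e[0]), find(e[1])
        if ri != rj:
            parent[ri] = rj
            tree.append(e)
    return tree if len(tree) == len(nodes) - 1 else None

def single_bit(tree, pad):
    """Single Bit Algorithm: returns ({node: decoded bit}, public messages)."""
    view = {node: pad[tree[0]] for node in tree[0]}   # Step 1: bit of edge (i*, j*)
    public, pending = [], list(tree[1:])
    while pending:                                    # Step 2, repeated
        e = next(e for e in pending if (e[0] in view) != (e[1] in view))
        src, dst = e if e[0] in view else e[::-1]
        msg = view[src] ^ pad[e]                      # B_{i*,j*} xor B_{i,j}, sent in public
        public.append((src, dst, msg))
        view[dst] = msg ^ pad[e]                      # dst strips the pad
        pending.remove(e)
    return view, public

def group_key(key_len, prefer=()):
    """Group Key Generation Algorithm on G4; returns (group key bits, public)."""
    nodes = sorted({v for e in key_len for v in e})
    keys = {e: [secrets.randbits(1) for _ in range(n)] for e, n in key_len.items()}
    weights = {e: n for e, n in key_len.items() if n > 0}
    bits, public = [], []
    while (tree := max_spanning_tree(weights, nodes, prefer)):   # Steps 1 and 4
        pad = {e: keys[e].pop() for e in tree}        # one unused bit per tree edge
        view, msgs = single_bit(tree, pad)            # Step 2
        if len(view) != len(nodes) or len(set(view.values())) != 1:
            raise RuntimeError("nodes disagree on the secret bit")
        bits.append(view[nodes[0]])
        public.extend(msgs)
        for e in tree:                                # Step 3
            weights[e] -= 1
            if weights[e] == 0:
                del weights[e]
    return bits, public

# Constructed inputs: pairwise key lengths, edges written (i, j) with i < j.
EXAMPLE_1 = {(1, 2): 5, (1, 3): 4, (2, 3): 3}
EXAMPLE_3 = {(i, j): 1 for i in range(1, 5) for j in range(i + 1, 5)}
STAR = {(1, 2): 5, (1, 3): 3, (1, 4): 4}              # broadcast case, terminal 1 central

if __name__ == "__main__":
    print(len(group_key(EXAMPLE_1)[0]), "bits for Example 1")
    print(len(group_key(EXAMPLE_3)[0]), "bit with the star tree chosen first")
    print(len(group_key(EXAMPLE_3, prefer=[(1, 2), (2, 3), (3, 4)])[0]), "bits with the path tree")
```

With the default tie-break Example 3 picks the star ((1,2), (1,3), (1,4)) and stops after 1 bit; passing the path ((1,2), (2,3), (3,4)) as `prefer` reaches the 2 bits the paper reports as optimal.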